Trojan/bot got past ZoneAlarmPro + NortonAV; help!

Background: I've been using ZoneAlarm Pro since at least v4.5 (if not earlier)... not a newbie. I currently have 7.0.483, on a Windows XP/SP2 machine, along with Norton AntiVirus (2008, since newer revs don't co-exist with ZAPro), but all NAV definitions are up-to-date, and this is NAV-only, not one of the "suite" products, and the built-in firewall is disabled so as not to conflict with ZAPro.

I also run Windows Update regularly, particularly in the few days after each month's Patch Tuesday.

The problem began when I noticed pop-unders of the home page for an affiliated web site, for a site I stumbled across while surfing. It's literally been years since I saw an unexpected pop-up (never mind pop-under) with the combination of ZAPro and NAV. At first I thought it was just benign cross-site marketing (since the two sites ARE affiliated).

Then I noticed overall slower performance, started looking closely at the ZA logs and I noticed there were a lot of connections being made to other IP addresses, with no apparent good reason. The vast majority were being made by winlogon.exe ... so I tweaked its out-of-the-box ZAPro configuration to give me an Alert every time it connected to a new address. (I went to ZA Program Control for the Windows NT Logon Application (aka winlogon.exe), and added an Expert rule that Allows, with an alert and a log entry, connections to the Internet and Trusted zones using any protocol at any time, just so I can see 'who' it's talking to.)

Most of the addresses/URLs are unfamiliar. I tried blocking some, but that didn't stop it from reaching out to others.

Sounds like my machine has been turned into a bot! Perhaps with a bogus "winlogon.exe"? There are a total of a half-dozen copies on my disk, all of various (but close) sizes and dates; 3 of them share the same version ID (5.1.2600.2180) and size, but one of those has different dates, as do all the other 3. None has a modified or created date within the past year. (Earlier today, I thought I had located another copy in \PreFetch with a very-recent modified date, but it's not there now. I don't understand the Windows \PreFetch mechanism; would this be a plausible "attack vector" for a bogus winlogon.exe?)

I have done full spyware scans using ZoneAlarm (which, ONLY by using a Full-System scan, found 5 alleged Trojans which I quarantined... but none of those were in winlogon.exe). Subsequent research via Google indicates that at least a couple of those 5 are false-positives... and unfortunately, the quarantine does not display where the files were originally located. In any event, the winlogon outreaches are still continuing, so quarantining those 5 didn't solve the problem.

Similarly I did full updates and scans with Norton AV, which found nothing. I will try some other spyware scanners (e.g. AdAware Free) shortly.

What else can I/should I do??? I don't like the idea that my machine may be being used to infect others, and nothing is detecting the infection. What malware solutions would be good to investigate?

Timeline: Noticed the pop-unders about a week ago. Identified (and enabled alert/logs for) the winlogon.exe activity in the past two days.

Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

You might watch task manager to see if you can connect the internet activity with some process. Click the CPU to put the highest usage at the top. When you think you see one, click on it so you can follow.

Process Explorer is a more detailed version of Task Manager if you want to try that. Download it from Microsoft.

Why disable system restore? (perhaps to keep from saving a restore-point that incorporates this temporary configuration?)

Why safe mode with networking? (why not just-plain safe mode, unplugged from the network? That would be my inclination)

Is there a summary somewhere of why this requires V9? Based on recent-past ZoneAlarm upgrade experiences ... particularly 5.5 to 6, and 6 to 7 ... I'm VERY VERY hesitant to upgrade without allowing LOTS AND LOTS of time to do it and to wrangle with side-effects.

Is a 7-to-9 direct upgrade possible, or do I need to go to 8 along the way?
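An added Python example (not from this thread, and not a ZoneAlarm or Microsoft tool) of the process-to-connection correlation the reply above recommends doing by eye in Task Manager or Process Explorer, and of what the OP's per-address alert rule is trying to establish: it joins the output of `netstat -ano` with `tasklist /fo csv /nh` so every non-local remote endpoint is attributed to the image name owning that PID. Both samples below are constructed, not captured from any real machine.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows XP column layout); not from a real host.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED     1412
  TCP    192.168.1.10:1044      198.51.100.23:6667     ESTABLISHED     652
  TCP    192.168.1.10:1045      198.51.100.77:443      SYN_SENT        652
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh` (Image Name, PID, Session Name, Session#, Mem Usage).
TASKLIST_SAMPLE = '''"winlogon.exe","652","Console","0","4,120 K"
"svchost.exe","924","Console","0","3,004 K"
"firefox.exe","1412","Console","0","58,200 K"
'''

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "UDP":  # UDP rows carry no State column
            proto, local, remote, pid, state = parts[0], parts[1], parts[2], parts[3], ""
        else:
            proto, local, remote, state, pid = parts[:5]
        rows.append((proto, local, remote, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Return {pid: image name} from tasklist /fo csv /nh output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def is_local(addr):
    """True for wildcard, loopback, and 10/8 or 192.168/16 private host:port strings."""
    host = addr.rsplit(":", 1)[0]
    return host in ("*", "0.0.0.0", "127.0.0.1") or host.startswith(("10.", "192.168."))

def remote_endpoints_by_process(netstat_text, tasklist_text):
    """Map each process name to the set of (proto, remote, state) it has open to non-local hosts."""
    pid_to_name = parse_tasklist(tasklist_text)
    result = defaultdict(set)
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or is_local(remote):
            continue
        result[pid_to_name.get(pid, "pid %d (unknown)" % pid)].add((proto, remote, state))
    return dict(result)
```

On the affected machine you would feed it the real output of those two commands; a system process that has no business talking to the Internet showing up with ESTABLISHED entries is exactly the evidence worth handing to the malware-removal helpers.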

Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

Just skip everything and have your system checked by malware experts, last point. That was the purpose of the link!